W32.Sober.X@mm
W32.Sober.X@mm is a severe mass-mailing computer worm that spreads using its own SMTP engine and lowers the security settings of the compromised computer. The worm's messages are in either English or German. It was created on November 14th, 2005, discovered on November 19th, 2005, and is part of the Sober family of worms.

== Payload ==
When executed, W32.Sober.X@mm performs the following actions:
#Displays a message with the following text:
#:Title: WinZip Self Extractor
#:Body: Error in packed Header
#Copies itself as the following files:
#*%Windir%\WinSecurity\csrss.exe
#*%Windir%\WinSecurity\services.exe
#*%Windir%\WinSecurity\smss.exe
#:Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
#Creates the following files, which are MIME-encoded .zip files that contain a copy of the worm:
#*%Windir%\WinSecurity\socket1.ifo
#*%Windir%\WinSecurity\socket2.ifo
#*%Windir%\WinSecurity\socket3.ifo
#Creates the following non-malicious files, which are used by the worm for email harvesting and as internal flags:
#*%Windir%\WinSecurity\mssock1.dli
#*%Windir%\WinSecurity\mssock2.dli
#*%Windir%\WinSecurity\mssock3.dli
#*%Windir%\WinSecurity\winmem1.ory
#*%Windir%\WinSecurity\winmem2.ory
#*%Windir%\WinSecurity\winmem3.ory
#*%Windir%\WinSecurity\sysonce.tst
#*%Windir%\WinSecurity\starter.run
#*%Windir%\WinSecurity\nexttroj.tro
#Creates the following zero-byte files in an attempt to stop previous versions of the W32.Sober@mm worm from running:
#*%System%\nonrunso.ber
#*%System%\langeinf.lin
#*%System%\filesms.fms
#*%System%\runstop.rst
#*%System%\rubezahl.rub
#*%System%\bbvmwxxf.hml
#:Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
#Attempts to end the following processes:
#*mrt.exe
#*asw*.tmp
#Attempts to end processes whose names contain any of the following strings:
#*microsoftanti
#*gcas
#*gcip
#*giantanti
#*inetupd.
#*nod32kui
#*nod32.
#*fxsbr
#*avwin.
#*guardgui.
#*aswclnr
#*stinger
#*hijack
#*sober
#*brfix
#*s_t_i_n
#*s-t-i-n
#Displays the following message if any of the above processes are ended:
#:Title: Antivrus
#:Body: No Viruses, Trojans or Spyware found! Status: OK
#Retrieves the value of the following subkey:
#:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE
#:which by default points to %ProgramFiles%\Symantec\LiveUpdate\LUALL.EXE, and overwrites the target file with a copy of itself.
#:Note: %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files for all Windows versions.
#Executes a copy of the worm each time LiveUpdate is launched, and displays one of the following message boxes, depending on the Internet connectivity of the compromised computer:
#:Title: LiveUpdate {Symantec}
#:Body: Thank you for using LiveUpdate. All of the Symantec products and components are currently up-to-date.
#:Title: LiveUpdate {Symantec}
#:Body: No Connection!
#Removes all files matching the following name patterns in order to disable LiveUpdate:
#*%ProgramFiles%\Symantec\LiveUpdate\a*.exe
#*%ProgramFiles%\Symantec\LiveUpdate\luc*.exe
#*%ProgramFiles%\Symantec\LiveUpdate\ls*.exe
#*%ProgramFiles%\Symantec\LiveUpdate\luu*.exe
#Sets a marker, consisting of a byte value located in the worm executable's header, every time the worm copies itself. This marker determines the functionality of each individual copy of the worm. There are five different marker values, each signifying a different action.
#Adds the value:
#:" Windows " = "%Windir%\WinSecurity\services.exe"
#:to the following registry subkey:
#:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
#:so that the worm runs every time Windows starts.
#Adds the value:
#:"_Windows " = "%Windir%\WinSecurity\services.exe"
#:to the following registry subkey:
#:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
#:so that the worm runs every time Windows starts.
#Adds the value:
#:"command" = ""%1" %+"
#:to the following registry subkey:
#:HKEY_CLASSES_ROOT\exefile\shell\open
#Ends the following service on computers running Windows XP SP2, in order to disable the Windows Security Center:
#:Name: vscsvc
#:Display Name: Security Center
#Tries to patch the TCPIP.SYS driver of Windows XP SP2 machines in the following folders:
#*%System%\drivers\TCPIP.SYS
#*%System%\dllcache\TCPIP.SYS
#*%Windir%\ServicePackFiles\i386\TCPIP.SYS
#:Note: The worm is able to patch different versions of the TCPIP.SYS file (builds 2180, 2505, 2631, 2685) by modifying the checksum of the file and changing the number of allowed half-open connections (a security fix introduced by Microsoft Security Bulletin MS05-019). This change alters the normal functioning of the TCP/IP protocol and may cause network problems.
#Attempts to download and execute the following file from the Internet, starting the 6th of January 2006:
#:http:// home.pages.at/Gruppfelhuber/REMOVED/Sober.exe
#:The worm may also attempt to download a file from one of the following domains and save it to %Windir%\WinSecurity\attacke.exe before execution:
#*people.freenet.de
#*scifi.pages.at
#*home.pages.at
#*free.pages.at
#*home.arcor.de
#:The files to be downloaded change every week.
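The persistence and tampering described above can be checked for on a host with a read-only script. The following PowerShell is an added example, not part of the original write-up or of any vendor tool: the paths, registry value names and service display name are taken from the page, while the function name, the stock `"%1" %*` exefile handler used as the comparison baseline and the Authenticode check on LUALL.EXE are this script's own assumptions.

```powershell
# Added example (not from the original write-up): read-only check for the
# persistence artifacts this page attributes to W32.Sober.X@mm.
# Run from an elevated prompt; returns a list of findings (empty = nothing found).
function Test-SoberXArtifacts {
    $findings = @()

    # Dropped folder and the three worm copies listed under "Copies itself".
    $dir = Join-Path $env:windir 'WinSecurity'
    if (Test-Path $dir) {
        $findings += "Folder present: $dir"
        foreach ($f in 'csrss.exe', 'services.exe', 'smss.exe') {
            if (Test-Path (Join-Path $dir $f)) { $findings += "Worm copy: $dir\$f" }
        }
    }

    # Run-key values " Windows " (HKLM) and "_Windows " (HKCU); note the padding spaces.
    $runKeys = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = ' Windows '
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'  = '_Windows '
    }
    foreach ($key in $runKeys.Keys) {
        $name = $runKeys[$key]
        $val  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
        if ($val -like '*WinSecurity\services.exe*') { $findings += "Run value '$name' in $key -> $val" }
    }

    # exefile handler: a stock system carries "%1" %*; anything else hooks every EXE launch.
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne '"%1" %*') { $findings += "exefile open command altered: $cmd" }

    # Security Center service stopped (the page: the worm ends it on XP SP2).
    $svc = Get-Service -DisplayName 'Security Center' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $findings += "Security Center service is $($svc.Status)" }

    # LUALL.EXE resolved through App Paths, the same way the worm finds it, then
    # signature-checked: an overwritten LiveUpdate binary no longer validates.
    $luKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE'
    $lu = (Get-ItemProperty -Path $luKey -ErrorAction SilentlyContinue).'(default)'
    if ($lu -and (Test-Path $lu)) {
        $sig = Get-AuthenticodeSignature -FilePath $lu
        if ($sig.Status -ne 'Valid') { $findings += "LUALL.EXE signature $($sig.Status): $lu" }
    }

    return $findings
}

Test-SoberXArtifacts
```

A Security Center finding alone is weak evidence (the service is absent or disabled on many builds); the Run-key and exefile findings are the ones worth acting on.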
#:For example, a different set of files, hosted on the domains listed above, was to be downloaded on Jan 20th, 2006.
#Attempts to use one of a hard-coded list of DNS servers.
#Checks the network connection of the compromised computer, and the current date, by connecting to one of a hard-coded list of public NTP servers on TCP port 37.
#Gathers email addresses from files with the following extensions:
#*.abc
#*.abd
#*.abx
#*.adb
#*.ade
#*.adp
#*.adr
#*.asp
#*.bak
#*.bas
#*.cfg
#*.cgi
#*.cls
#*.cms
#*.csv
#*.ctl
#*.dbx
#*.dhtm
#*.doc
#*.dsp
#*.dsw
#*.eml
#*.fdb
#*.frm
#*.hlp
#*.imb
#*.imh
#*.imm
#*.inbox
#*.ini
#*.jsp
#*.ldb
#*.ldif
#*.log
#*.mbx
#*.mda
#*.mdb
#*.mde
#*.mdw
#*.mdx
#*.mht
#*.mmf
#*.msg
#*.nab
#*.nch
#*.nfo
#*.nsf
#*.nws
#*.ods
#*.oft
#*.php
#*.phtm
#*.pl
#*.pmr
#*.pp
#*.ppt
#*.pst
#*.rtf
#*.shtml
#*.slk
#*.sln
#*.stm
#*.tbb
#*.txt
#*.uin
#*.vap
#*.vbs
#*.vcf
#*.wab
#*.wsh
#*.xhtml
#*.xls
#*.xml
#:The worm avoids sending itself to email addresses containing any of the following strings:
#*-dav
#*.dial.
#*.kundenserver.
#*.ppp.
#*.qmail@
#*.sul.t-
#*@arin
#*@avp
#*@ca.
#*@example.
#*@foo.
#*@from.
#*@gmetref
#*@iana
#*@ikarus.
#*@kaspers
#*@messagelab
#*@nai.
#*@panda
#*@smtp.
#*@sophos
#*@www
#*abuse
#*announce
#*antivir
#*anyone
#*anywhere
#*bellcore.
#*bitdefender
#*clock
#*detection
#*domain.
#*emsisoft
#*ewido.
#*free-av
#*freeav
#*ftp.
#*gold-certs
#*google
#*host.
#*icrosoft.
#*ipt.aol
#*law2
#*linux
#*mailer-daemon
#*mozilla
#*mustermann@
#*nlpmail01.
#*noreply
#*nothing
#*ntp-
#*ntp.
#*ntp@
#*office
#*password
#*postmas
#*reciver@
#*secure
#*service
#*smtp-
#*somebody
#*someone
#*spybot
#*sql.
#*subscribe
#*support
#*t-dialin
#*t-ipconnect
#*test@
#*time
#*user@
#*variabel
#*verizon.
#*viren
#*virus
#*whatever@
#*whoever@
#*winrar
#*winzip
#*you@
#*yourname
#Selects an SMTP server from a hard-coded list.
#Attempts to send a copy of itself to the gathered email addresses using the SMTP server selected above.
The email may be in either English or German, and has the following characteristics:

'''German:'''

From: SPOOFED

Subject: One of several predefined subject lines

Message: One of several predefined message bodies

Attachment: One of the following:
*1.zip
*1-TextInfo.zip
*Email.zip
*Email_text.zip
*2.zip
*Akte2.zip
*3.zip
*3_Text.zip
*Ebay.zip
*Ebay-User_RegC.zip
where the variable 1 is one of the following strings:
*Service
*Webmaster
*Postman
*Info
*Hostmaster
*Postmaster
*Admin
and the variable 2 is one of the following strings:
*Downloads
*BKA
*Internet
*Post
*Anzeige
*BKA.Bund
and the variable 3 is one of the following strings:
*Kandidat
*WWM
*Auslosung
*Casting
*Gewinn
*Info
*RTL-Admin
*RTL
*Webmaster
*RTL-TV

'''English:'''

From: SPOOFED

Subject: One of several predefined subject lines

Message: One of several predefined message bodies

Attachment: One of the following:
*reg_pass.zip
*reg_pass-data.zip
*mail.zip
*mail_body.zip
*mailtext.zip
*listCHARACTERS.zip
*question_listCHARACTERS.zip
*downloadm.zip

The attachment contains the following file, which is a copy of the worm:
*File-packed_dataInfo.exe

== Stats ==
*Wild: Medium
*Number of infections: More than 1000
*Number of sites: More than 10
*Geographical distribution: Low
*Threat containment: Easy
*Removal: Moderate
*Damage: Medium
*Distribution: High

Category:Mass mailer worm
Category:Worm
Category:Win32
Category:Win32 worm
Category:Microsoft Windows
Category:SMTP engine worm
Category:Email worm